Slashdot Mirror


Unintrusive Traffic Content Monitoring?

fuzzybunny asks: "I've recently been given my turn in the bucket as head tech guy at a startup in Germany. We deal with backend monetary transactions for companies that need to send bills, and as such handle large quantities of personal and confidential financial information. I've been informed that in order to comply with financial due diligence laws here, as well as to guard against sabotage by angry employees (not that we have any), I have to figure out some way to sniff outbound network traffic for stuff that's not supposed to leave the company network." Internal security is something all network administrators will have to deal with at some point or another. Are there methods they can employ to ensure that data that's supposed to stay in the network isn't encouraged to take a nightly stroll somewhere it isn't supposed to, without excessively violating the privacy of the users?

"I realize that someone who wants to get confidential information out can easily circumvent any technical measures (copy to floppy, encrypt mail, print out, etc.) However, the idea here is to force someone to take that extra willful step.

Given that I categorically refuse to sniff general network traffic, block URLs, or generally look over people's shoulders, I am looking for a solution that lets me automatically watermark non-ASCII files and just sniff for certain binary strings on outgoing traffic, while keeping any non-matching traffic completely anonymous. Any ideas on this?"

11 of 82 comments

  1. Bare Minimum it is then... by jpowers · · Score: 4

    Set up a proxy server and force all outbound traffic over it. Tell the users it's to filter for Outlook viruses or some (.V)BS. Shut down all but a few ports, then run a packet sniffer to watch the ports you open. The proxy server has to be able to handle all the traffic, so if you have a LAN/WAN setup, you can use the proxy as a gateway between LAN servers and WAN/external traffic (so it won't slow down the outside users' access to your webpage).

    We already do this (though the packet sniffer's for diagnostics only): LAN w/NT server+100 clients, proxy w/sniffer to get through to the WAN (Sun SPARCs for DBASE and web server), then another "standard" firewall out beyond the WAN to get to the internet. That way they have to get through two firewalls to get to our files from outside, and the inside users get their files scanned on the way out. Non-intrusive as we could make it, once the machines are set up for proxy the users don't know the difference. The packet sniffer's a 10-year-old SPARC classic, so we're not talking about major investment of $$$ here.

    -jpowers

  2. Re:Simple, common sense things you can do. by mindstrm · · Score: 3

    And..
    Don't publish your security methods openly.

  3. One approach to outgoing data we use by SIGFPE · · Score: 3

    Most transactions that are legitimate involve large numbers of small batches of outgoing data and larger amounts of incoming data (using realaudio, downloading useful software, reading slashdot). Transactions that are frowned upon (e.g. sending out images (our job, as a company, is to make pictures)) involve lots of data going out. So the solution I came up with was to throttle data going out to 3K/s for the entire company (50-60 people). (Mail and incoming http is through a server or proxy so isn't counted in this.) Everyone seems happy now. This isn't something that will work for most people but for those in the situation that the items of value are rather large (many megs) it seems to work well. Of course someone can keep an ftp connection open for many hours but (1) everyone would rapidly notice if someone does this excessively and (2) outside work hours (8am-8pm approx.) all IP traffic from individuals to the outside world is throttled to 0K/s. There's no point being 100% secure - people can hook up an external drive to their PC or even photograph images on their screen using a digital camera.
    --
    -- SIGFPE
  4. If you really need a tight network... by Malor · · Score: 5

    Your fundamental goal -- allowing anonymous, untracked internet usage, while simultaneously being *absolutely sure* that unauthorized data isn't getting out -- is impossible.

    The traditional method of access control in this sort of circumstance is a proxy-style firewall. However, I don't know of any proxy firewalls that can inspect for specific content. They can check for correctness of protocol data, but I don't know of any way to set off klaxons and call the police if the user manages to embed today's secret word in an HTTP:// request.

    You definitely can't use packet-level firewalls for this purpose, even stateful inspection ones, because users can bury any data they want in traffic bound for, say, port 80. It doesn't have to be just HTTP. Packet-level firewalls just work on port pairings. Example: if I were ever in a network that refused me access to my home machine, I'd probably just tunnel through port 80, which is open 90% of the time. A proxy firewall would stop that: a packet firewall will not.

    It might be possible to custom-code an outbound content filter into an open-source proxy like Squid. Squid isn't a firewall, so you'd probably have to dual-home your Squid box (to make it the only way out) and then have a firewall between it and the outside.

    Even at that level, it would still be possible to sneak things out. Almost any system that allows two-way communication can have arbitrary data inserted into the data stream in a way that is very inobvious to even a savvy network admin. Just a few days ago I saw a method to tunnel IP networking over DNS requests. (seriously). I think it was probably posted here on /. if you're interested. Good luck catching THAT with a sniffer. :-)

    What this all boils down to is this: if you allow any form of two-way communication into your network, then employees can get data out. Period. And there's no way you can know what it is without extensive and highly sophisticated pattern analysis.

    If the data is really sensitive, you might consider the old 'air gap' solution; have a private network that isn't connected to the outside in ANY WAY, and then an external network that employees use on a day-to-day basis. If you put that network on a hub, or on a switch that supports port mirroring, you should be able to monitor all traffic on that private network (assuming you don't exceed, in aggregate, the bandwidth on your monitoring port if you're switch-based) and ensure that no foreign MAC addresses show up on the network, and that all the traffic stays local. You can't, of course, control what users do with things like floppy disks. However, having the separate high-security network will let you monitor intensely enough to be aware that a given employee is accessing data they don't normally need access to. At least, it can do that if you're willing to put the effort into writing/customizing the monitoring tools. Definitely a non-trivial effort.

    If you can't build two networks, then you probably shouldn't even bother monitoring. It won't do you any good. Anyone out there with a real clue will waltz right past any protections you might set up.

  5. The solution is not technical by Enoch+Root · · Score: 3
    I know, I know. Every geek tends to answer a human problem with a technical answer. I should know, I worked for one year as a CSO for a large company. (Won't say which, but suffice to say it's a subsidiary of Canada's largest e-commerce firm.) The answer, in this case, is simple:

    Put a use of confidential information clause in their contract, and threaten to sue them to hell should they ever breach it.

    Now, you may not like this. It's not pretty. But that's the way to do it. If you try to patch the system with a technical solution, they'll never respect it, because hackers figure if they can find a hole, it's their god-given right to exploit it. But trust me, every script kiddie gives up his tactics when he's slapped with an FBI (RCMP in Canada) search warrant and threats of legal action. Ditto with employees.

    This way, you won't even have to bother with configuring your system. Just sue one guy as an example to others, that works well also. It may not be really cool; but trust me, it's effective.

  6. It's the same deal as always... by Chiasmus_ · · Score: 4

    If someone is really smart and wants to steal or transfer company records behind your back, he or she will find a way. It can be disguised, routed through unusual channels, encrypted, or even sent out in screen shot format as a bunch of JPGs.

    If, on the other hand, they're an idiot, and sending the stuff out either recklessly or accidentally, you don't need technology to handle it. Either look over their shoulder once in a while, or get them drunk.

    So, do what companies always do: the bare minimum required to meet legal standards, and grudgingly, at that.

    --
    "Beware he who would deny you access to information, for in his heart he deems himself your master."
  7. Monitor Certain Ports/Automated Scanning by LaNMaN2000 · · Score: 4

    If I were in your position, I would ensure that no outbound traffic travels on non-standard ports that have not first been registered with IT (to prevent DDoS clients from being installed/managed, BackOrifice from being installed, etc.). Also, I think that installing an automated scanner for e-mail, prohibiting attachments larger than a certain size, etc. would be prudent. Personally, I would not find it invasive if I was told, as an employee, what type of e-mail would raise a flag with the automatic scanner and ensured that my mail would not be read by another human being unless it was potentially dangerous.

    Basically, the most important thing, from an employee's perspective, with network scanning is full disclosure. I would feel violated if my personal transmissions were searched without my knowledge, but I think most people would understand the need for tight security given the inherent insecurity of an Internet connection.

    --

    ByteMyCode.com: A Web 2.0 code sharing community.
  8. No good technology solution... by kabir · · Score: 4

    Ultimately there is no good solution to this sort of problem. Various technologies have been developed (usually in concert with a government) which allow data to be labeled, etc. While there are some rudimentary barriers to moving around labeled data, it's nothing your average school kid couldn't circumvent.

    The truth of the matter is this: you have chosen to trust your employees (at various levels). They must be trusted in order to do their jobs properly. If they choose to violate that trust, you will be unable to stop them.

    Now, it is possible to make that sort of thing much more difficult, but the methods are not terribly reasonable, and usually incompatible with business practices.

    In terms of monitoring outbound traffic for sensitive data, well, forget it. Heck, even compression will ruin pattern matches. Better to simply spend more time evaluating how trustworthy potential employees are before hiring them into sensitive, high access positions. Get background checks and be a good judge of character.

    Oh, and cross your fingers.
    --
    Behold the Power of Cheese!
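The original question asks for a way to watermark non-ASCII files and match only those binary strings on outbound traffic while leaving every other flow anonymous, and kabir's comment above notes that compression alone defeats a naive pattern match. As an added example that is not from the thread or from any commenter, the Python below embeds a random per-file watermark token, scans constructed outbound payloads for registered tokens after first trying to inflate a gzip or zlib layer, and for non-matching flows records only a salted hash of the flow key rather than any content or plain address. The trailer-style watermark placement, the file label, the addresses and the sample binary are all assumptions made for the example. It also shows the limit the thread names: an encrypted copy of the same file produces no match at all.

```python
import gzip
import hashlib
import secrets
import zlib

WATERMARK_LEN = 16  # bytes; long enough that an accidental match is negligible


def make_watermark():
    """Random per-file token. A registry maps each token to a file label."""
    return secrets.token_bytes(WATERMARK_LEN)


def watermark_file(data, token):
    """Append the token as a trailer (assumed placement for the example; a real
    format would use a slot the application ignores, such as a metadata chunk)."""
    return data + token


def scan_payload(payload, registry):
    """Labels of every registered watermark that appears verbatim in payload."""
    return sorted(label for token, label in registry.items() if token in payload)


def inflate_layers(payload):
    """The payload plus any gzip/zlib-decoded variant of it, so a token hidden
    under one compression layer is still visible to scan_payload."""
    variants = [payload]
    for decoder in (gzip.decompress, zlib.decompress):
        try:
            variants.append(decoder(payload))
        except (OSError, EOFError, zlib.error):
            pass  # not encoded this way; try the next decoder
    return variants


def flow_record(src, dst, payload, registry, salt):
    """Inspect one outbound payload. Matching flows are reported with their
    endpoints; non-matching flows leave only a salted hash of the flow key,
    never the content or the plain addresses."""
    matches = set()
    for variant in inflate_layers(payload):
        matches.update(scan_payload(variant, registry))
    if matches:
        return {"alert": sorted(matches), "src": src, "dst": dst}
    digest = hashlib.sha256(salt + f"{src}->{dst}".encode()).hexdigest()[:16]
    return {"alert": [], "flow_hash": digest}


def demo():
    """Constructed end-to-end run: one watermarked file sent three ways."""
    token = make_watermark()
    registry = {token: "invoice-batch"}  # constructed label
    # Constructed binary blob standing in for a confidential non-ASCII file.
    secret_file = watermark_file(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64, token)
    salt = secrets.token_bytes(16)  # rotate per logging period so hashes are unlinkable across periods
    plain = flow_record("10.0.0.12", "203.0.113.5:80", secret_file, registry, salt)
    zipped = flow_record("10.0.0.12", "203.0.113.5:80", gzip.compress(secret_file), registry, salt)
    key = secrets.token_bytes(len(secret_file))
    ciphertext = bytes(a ^ b for a, b in zip(secret_file, key))  # toy one-time pad
    enc = flow_record("10.0.0.12", "203.0.113.5:443", ciphertext, registry, salt)
    return {"plain": plain, "gzip": zipped, "encrypted": enc}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

The plain and gzip-wrapped copies both raise an alert, the encrypted copy only leaves a flow hash. The salt is what keeps non-matching records anonymous: without it, anyone holding the log could hash candidate address pairs and link records back to users. Adding more decoders to inflate_layers (zip, bzip2, base64) extends coverage to other transparent encodings, but nothing in this approach sees through encryption, which is exactly the "extra willful step" the question is content to force.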
  9. Limit the visibility employees have to data by Enonu · · Score: 4

    ALL other solutions are either impractical or can be circumvented, perhaps by just pencil and paper :)

  10. Yes. by mindstrm · · Score: 3

    Switches running with security settings; static switch tables. Run a network with static ARP if you want.

    Aggressive firewalling

    Make sure all mail is logged.
    Make sure all web traffic is proxied and filtered, if it even needs to be there at all. And log everything.

    As for 'protecting privacy' of individuals.. you can't really have it both ways. If it's a financial network, and people are expected to conform to a high level of security, it is completely within the rights (most likely) of your company to audit EVERY communication going in or out of the network.

    Simply take away their expectation of privacy.

    Oh.. also, insist that all mail be escrow-keyed, and signed, or it can't hit the servers. This leaves you an accountability trail.

    In fact, if it's a really secure installation, why do you even need live internet to people's desks?

  11. Actually, yes you can. by Bazzargh · · Score: 3

    Okay, this is not an ideal solution, but it is a solution.

    Internet
    ---------------------------------------- firewall
    Demilitarized Zone
    [ Terminal Server (WTS or an X server) ]

    ---------------------------------------- firewall
    Internal LAN [ client PC goes here ]

    Internal users use netscape on the terminal server. This prevents you from leaking information without retyping. However it prevents you from pulling in downloads, and sending email with attachments to customers.

    For downloads, open up inbound FTP connections to a fileserver in the DMZ. For outbound emails, warn that emails from the LAN are scanned, and do it. If people want to send a private message, they can use the X or ICA netscape client. This way your users opt in to be scanned when they are deliberately leaking information, because that's what the job requires. Using the X client, they would have to laboriously retype all the information.

    Depending on the size of the company, you could scan ALL of these messages by hand, since most outbound mail will be personal or brief.

    I didn't say it didn't suck. But it does hang together.